
How to get permissions for user?

Hello. I am using 05-Token-Renewal Example. Can’t understand how to get user’s permissions for specific API in very first authentication request along with other information about user.

Hi @alt1!

Thanks for joining us in the Auth0 Community!

Could you post the link for the specific example? I am not sure what you are referring to specifically.

For now, take a look at this doc describing how to get user’s permissions.

Furthermore, you could assign users roles (which have associated permissions), and then add those roles as a custom claim in a token. This is what I would recommend for most circumstances.

Let me know how it goes!

Thanks,
Dan

Thanks @dan.woda I have gone through these docs.
My scenario is like:

  • I have a user stored in Auth0 database connection
  • I have assigned a role to this user
  • This user has permissions associated with an API.

Now, when a user logs in, I want to send user role and permissions in the id_token and later on can extract from id_token JWT.

Currently, I am not getting this information in the id_token but with the help of a rule I was able to get roles from “Context.Authorization” and was able to add it to id_token. Now I want user permissions to be available inside the rule, so that I can attach those with the id_token.

@ilyas-shah,

Permissions aren’t available from the context object in rules as you have likely noticed. You could infer from your roles what permissions should be added. I think this is the intended relationship between roles and permissions, so you don’t have to include a group of permissions in a token. Just the user’s roles.

You could also make a call to the management api to see what permissions are associated with which role.

Thanks,
Dan

Yes @dan.woda, you are right, we can infer what permissions or accesses a user has on the basis of its role. Currently, I am using a rule and adding permissions (defined inside the rule) to the user id_token using custom claims.

Making a management API call inside a rule will increase the response time of the “token” call, so I am trying to avoid that.

One more question I have:
How can we add roles/permissions to a user during signup, and how much information about the user can we store during sign up apart from the basic profile?

thanks
Ilyas

What if I want to verify whether a user has certain permission in order to execute some custom action? This is a bit clumsy to verify a permission via user’s roles…

@ilyas-shah,

This FAQ demonstrates how to automatically add a role upon signup:

https://community.auth0.com/t/how-do-i-add-a-default-role-to-a-new-user-on-first-login/25857/3

This could also be changed to add a role based on email domain, IP, etc.

Hope this helps,
Dan

@quincy.milliman,

Just to be clear, we are talking about adding permissions to an id token. Typically the intent of permissions is to restrict access to an API. They are listed in an access token in an array with the key permissions, easily accessible.

If you are looking to make custom actions based on some data in an id token, you may be more interested in app_metadata.

Does this help? Otherwise we can work on your request further.

Thanks,
Dan

Hi @dan.woda ,

Thanks for the reply. But I did not have permissions in my access token when user logged in.

We use Flask Python OAuth.authorize_access_token() to get access token while user logged via Auth0. It looks like this :

{'access_token': 'qJIV6Q…ByK9I', 'id_token': 'ey…_hSDncJrC2B1V_OFw_w', 'scope': 'openid profile email', 'expires_in': 86400, 'token_type': 'Bearer', 'expires_at': 1562144867}

In the scope, there is no permission that I assigned to this user.

Maybe I misunderstand something?

@quincy.milliman,

Your access token is opaque. If you have it set with your custom api as an audience your access token should be a JWT, not an opaque token. This is at least true for how I have my test application set up. Try and configure it according to the doc linked below and see if your token looks like this:

{
  "iss": "https://YOUR-DOMAIN.auth0.com/",
  "sub": "auth0|5c...a31af",
  "aud": [
    "https://example-api",
    "https://YOUR-DOMAIN.auth0.com/userinfo"
  ],
  "iat": 1562104725,
  "exp": 1562104735,
  "azp": "rB4KnsA...VXKQOtLo9I",
  "scope": "openid profile email",
  "permissions": ["read:reports"]
}

Take a look at this doc:

1 Like
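Added example, not from the thread or from Auth0's code: an API-side check of the `permissions` array shown in the sample payload above, which also covers the opaque-token case. It assumes the API is set to sign access tokens with HS256 and uses a constructed secret and a constructed token so it runs offline; RS256-signed tokens must instead be verified against the tenant's published keys with a JWT library.

```python
import base64, hashlib, hmac, json, time

API_IDENTIFIER = "https://example-api"       # audience from the sample payload
ISSUER = "https://YOUR-DOMAIN.auth0.com/"    # placeholder issuer from the sample payload
SECRET = b"constructed-demo-signing-secret"  # constructed for this example only

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_demo_token(claims, secret=SECRET):
    """Build a constructed HS256 token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def check_permission(token, required, now=None):
    """Return (allowed, reason) for one required permission."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "opaque token: no claims to read, request the API audience"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        return False, "unexpected algorithm"
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # "aud" may be a string or a list
    if claims.get("iss") != ISSUER or API_IDENTIFIER not in aud:
        return False, "wrong issuer or audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    perms = claims.get("permissions")
    # Require a list: a plain string would turn "in" into a substring match.
    if not isinstance(perms, list) or required not in perms:
        return False, "missing permission"
    return True, "ok"
```
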

Hi Dan,

Thanks again for your reply. I am using authlib.flask.client.Oauth.register() with Python Flask and
auth.authorize_redirect(redirect_uri='http://localhost/callback', audience='https://{}/userinfo'.format(AUTH0_DOMAIN))
to login user. I have no idea where I shall put the audience parameter you had mentioned

I had added the following parameters :

            request_token_params={'audience': 'urn:auth0-authz-api'},
            access_token_params={'audience': 'urn:auth0-authz-api'},

But I still get an opaque token with no permission information.

@quincy.milliman

If you’re using the python example, you would add the audience in the .env file.

.env file of your python/flask app:

AUTH0_AUDIENCE=https://my-api/

or directly in the authorize request like this:

auth0.authorize_redirect(redirect_uri=AUTH0_CALLBACK_URL, audience='https://my-api/')

This is actually what you did, but you used the wrong audience. Don’t use the AUTH_DOMAIN + /userinfo there but the API identifier of your own API.

The audience is the identifier of your API, the one you registered in Auth0 in the Dashboard under Dashboard > APIs and to which you configured permissions/scopes:

Alternatively, if you only use one API for all your apps, you could as well set the default API for your entire tenant in the tenant settings. Then the client doesn’t need to explicitly add the audience in every authorize request.

Make sure that you have RBAC enabled in your API settings:

1 Like

Hi Mathias,

Thank you very much. I had tried what you said as

auth.authorize_redirect(redirect_uri='http://127.0.0.1:5000/callback', audience="urn:auth0-authz-api")

Where my audience is an auth0 authorization extension api but it gave me the following URL:

http://127.0.0.1:5000/callback?error=unauthorized&error_description=no_end_users&state=M0xOABddGrhmP71Qmm6Dk1EZLY4zBD

What does that mean no_end_users?

Hi @quincy.milliman,

ok, gotcha! You want to get an access token to do things with the Authorization API. So, this seems to be a special case. It seems that by default the extension expects that calling this API would be via M2M (machine to machine) and not on behalf of a user. (Not exactly sure why that is in place TBH, I guess as a precaution so that the API isn’t mistakenly opened to end users).

Anyway, the reason you’re getting this no_end_user is because of a rule in place. Go to the Dashboard > Rules and look for the auth0-authorization-extension rule. In there you find the marked lines that cause the return.
If you comment the lines in, then it will work.

2 Likes

Hi Mathias,

Thank you again for the reply and explanation. Our system is a RESTful middleware application which is indeed at some point opened to the end users to interact with the user/group management by assigning some end user a particular role/permission.

We had reconsidered our design and decided to split these 2 parts (login and permission check via API extension) to prevent end users from directly interacting with the auth0-authorization-extension, as in the following design:

[Image: design diagram]

With this structure, all the end users have to pass through our middleware application in order to manipulate the user/group/permissions.

Thanks again for the prompt response!